This article was accidentally deleted. This is a recreated and enhanced version.

This is the final installment of this Kerberos series. I've listed the various parts of the series below for easy reference. Initially, the idea of an SPN setup tool was introduced. The next segments walked through some of the setup needed for Active Directory, IIS, and IE. Part 5 covers the best troubleshooting tools available to help you resolve any issues with your setup.

Domain\MOSS2007webapp (IIS identity; assumes only one main portal site is being configured)

http/ServerPPSAlias

http/ServerPPSAlias.domain.com

A few things to note about the above SPNs.

For programs that run as IIS sites (SharePoint, PerformancePoint, ProClarity, SSRS), the SPN service class is HTTP. This holds for sites served over SSL as well: the browser requests an HTTP/hostname ticket for https:// URLs too, so there is no separate https service class to register.

For relational data, the SPNs use the MSSQLSvc service class, followed by the host and the port or instance name (the default instance listens on 1433).

For OLAP data, the SPNs use the MSOLAPSvc.3 service class (assumes SQL Server 2005 and higher).

Register every SPN on exactly one account. A duplicate (the same SPN on two accounts) leaves the KDC unable to pick a single key for the service ticket, so Kerberos fails and the client either errors out or silently falls back to NTLM.
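The registration and duplicate check described above, as an added example that is not part of the original article. It uses setspn.exe (the Windows Server 2008 or later version, which has -S and -X) from an elevated PowerShell prompt on a domain-joined machine; the domain name, the SQL and SSAS host names, and the port are assumptions, while the account names follow the article.

```powershell
# Added example: register the article's SPNs on their owning accounts and sweep
# for duplicates. DOMAIN, SQLServer01, SSASServer01 and port 1433 are assumed.
$domain = 'DOMAIN'

# One entry per service account: the SPNs that account must own.
# HTTP is used for the IIS sites whether they are served over http or https.
$spnsByAccount = @{
    "$domain\MOSS2007webapp" = @('HTTP/ServerPPSAlias', 'HTTP/ServerPPSAlias.domain.com')
    "$domain\SQLService"     = @('MSSQLSvc/SQLServer01:1433', 'MSSQLSvc/SQLServer01.domain.com:1433')
    "$domain\SSASService"    = @('MSOLAPSvc.3/SSASServer01', 'MSOLAPSvc.3/SSASServer01.domain.com')
}

foreach ($account in $spnsByAccount.Keys) {
    foreach ($spn in $spnsByAccount[$account]) {
        # -S first searches the forest for the SPN and refuses to add it if some other
        # account already has it; the older -A adds blindly and is how duplicates arise.
        & setspn.exe -S $spn $account
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn -S failed for $spn on $account (duplicate SPN or insufficient rights)"
        }
    }
}

# Show what each account now has registered, so the list can be compared with the plan.
foreach ($account in $spnsByAccount.Keys) {
    Write-Host "--- $account"
    & setspn.exe -L $account
}

# Forest-wide duplicate sweep. Any SPN reported here is registered on two accounts
# and will break Kerberos for that service until one registration is removed (-D).
& setspn.exe -X -F
```

Run the sweep again after every change to a service account, and before configuring delegation: the Delegation tab in Active Directory Users and Computers only appears on an account once it owns at least one SPN.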

Delegation

Once the SPNs are set up and checked for duplicates, you must delegate. Constrained delegation lets a service account request Kerberos tickets on behalf of the user who authenticated to it, but only to the specific services (SPNs) you list on that account. This is what distinguishes it from unconstrained delegation, which lets the account impersonate the user to any service in the domain and should be avoided. The way I think about it is to follow the data: each hop where one service fetches data from another on the user's behalf needs a delegation entry on the calling account pointing at the SPN of the called service.

For example, I would like the following to happen:

View SSRS reports from within SharePoint

View PerformancePoint dashboards from within SharePoint that contain both SSRS reports and ProClarity (cube) reports

SSRSwebapp delegates to SSASService and SQLService – already done above for SSRS reports from within SharePoint

Note: You do not need to have MOSS2007webapp delegate to PPSwebapp because you have deployed the PerformancePoint dashboard to SharePoint. Basically, the dashboard is now running as MOSS2007webapp instead of PPSwebapp.

Make sure not to delegate the same thing twice. Some data paths are shared by SharePoint and PerformancePoint (for example, SSRSwebapp –> SSASService and SQLService), so once that entry exists on SSRSwebapp it serves both scenarios.
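The "follow the data" delegation for the SSRSwebapp hop, as an added example that is not part of the original article. It configures Kerberos-only constrained delegation by writing the msDS-AllowedToDelegateTo attribute with the Active Directory PowerShell module, which is the same setting the Delegation tab's "Trust this user for delegation to specified services only / Use Kerberos only" option sets. The target host names and port are assumptions; the account names are the article's.

```powershell
# Added example: constrained (Kerberos-only) delegation from SSRSwebapp to the
# MSSQLSvc and MSOLAPSvc.3 SPNs it pulls data from. SQLServer01, SSASServer01
# and port 1433 are assumed names. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Add-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $FrontEndAccount,  # account that will impersonate the user
        [Parameter(Mandatory)] [string[]] $TargetSpn         # SPNs it is allowed to get tickets for
    )
    $acct     = Get-ADUser -Identity $FrontEndAccount -Properties msDS-AllowedToDelegateTo
    $existing = @($acct.'msDS-AllowedToDelegateTo')

    # Skip entries already present so the same path is never delegated twice.
    $new = @($TargetSpn | Where-Object { $existing -notcontains $_ })
    if ($new.Count -gt 0) {
        Set-ADUser -Identity $FrontEndAccount -Add @{ 'msDS-AllowedToDelegateTo' = $new }
    }

    # Return the resulting list so the caller can verify what is now configured.
    (Get-ADUser -Identity $FrontEndAccount -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'
}

# Follow the data: SSRS fetches relational data from SQL and cube data from SSAS
# as the calling user, so SSRSwebapp needs both target SPNs.
Add-ConstrainedDelegation -FrontEndAccount 'SSRSwebapp' -TargetSpn @(
    'MSSQLSvc/SQLServer01.domain.com:1433',
    'MSOLAPSvc.3/SSASServer01.domain.com'
)

# Sanity check: the account must not also be marked for unconstrained delegation,
# which would let it impersonate users to every service, not just the listed SPNs.
$check = Get-ADUser -Identity 'SSRSwebapp' -Properties TrustedForDelegation, msDS-AllowedToDelegateTo
if ($check.TrustedForDelegation) {
    Write-Warning 'SSRSwebapp is trusted for unconstrained delegation; switch it to constrained.'
}
$check.'msDS-AllowedToDelegateTo'
```

The SPN strings written here must match, character for character, SPNs that exist on SQLService and SSASService; a delegation entry for an SPN nobody owns is silently useless, which is why the duplicate and ownership check comes first.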

Many blogs and articles have erroneously stated that you must use the same application pool identity for PerformancePoint and SharePoint. This is not necessarily true. Mostly it is done because people do not know how to set up delegation and the proper security for SSRS, SSAS, etc. across multiple service accounts. Some older technologies may require a shared identity to work around issues with browsers, ports, etc., but where it is not required, separate identities are preferable: each account then carries only the SPNs and delegation entries its own service needs.

What if you wanted to use a SharePoint list as the data source for a PerformancePoint report and view it from within PerformancePoint Preview site?

Hint: Follow the data path. Would PPSwebapp have to delegate to MOSS2007webapp?

Setup Tool Needed

Now that we have reviewed some of the basics of Kerberos setup, and walked through an example, I would like to make a tool that helps create the SPNs needed for Microsoft products. My question to the community is:

What additional features would you like to see in a Kerberos SPN setup tool? Leave your suggestions below.

First off, great article. When you say "SSRSwebapp delegates to SSASService and SQLService"… does this mean delegation needs to be set up on the SSRS service account to "allow delegation to the MSSQL service account"? Does setting up both SPN + delegation also apply to a single-server SSRS + SQL Engine setup? Is it absolutely necessary for Windows Integrated Security to work?